A USER GUIDE TO DATA PROTECTION IN THE EUROPEAN UNION

Your rights & how to exercise them

Access Now defends and extends the digital rights of users at risk around the world. By combining direct technical support, comprehensive policy engagement, global advocacy, grassroots grantmaking, and convenings such as RightsCon, we fight for human rights in the digital age.

For more information, please visit: https://www.accessnow.org Contact: Estelle Massé | Senior Policy Analyst | [email protected]

This guide is an Access Now publication.

This work is licensed under a Creative Commons Attribution 4.0 International License.

INTRODUCTION

Access Now presents A user guide to data protection in the European Union - Your rights and how to exercise them to help you exercise your right to data protection. This guide gives you information about the rights encompassed under the EU law on data protection as well as information on how to use these rights.

The European Union General Data Protection Regulation is a positive framework for users’ protection and can help you take back control of your personal information. This law replaces and strengthens the 1995 Data Protection Directive. Access Now is a strong supporter of the GDPR. In fact, we worked with lawmakers to strengthen users’ protections throughout the introduction, negotiations, and adoption of the law. After almost five years of debate, the GDPR became applicable on 25 May 2018. With this guide, we aim to contribute to the long-term mission of the GDPR by giving you the necessary information and tools to exercise your rights.

We invite you to read this guide carefully, so you can use your rights to make data protection a reality.

Brussels, July 2018

WHAT IS THE GENERAL DATA PROTECTION REGULATION?

Personal data is any information relating to you, whether it relates to your private, professional, or public life. In the online environment, where vast amounts of personal data are shared and transferred around the globe instantaneously, it is increasingly difficult for people to maintain control of their personal information. This is where data protection and laws such as the GDPR come in.

Data protection refers to the practices, safeguards, and binding rules put in place to protect your personal information and ensure that you remain in control of it. In short, you should be able to decide whether or not you want to share some information, who has access to it, for how long, and for what reason, and to be able to modify some of this information, and more.

In the EU, these rules are defined under the General Data Protection Regulation. The GDPR is a user-centric law which aims to put you back in control of your personal data, providing for the broad spectrum of users’ rights presented in this guide.


Under the GDPR, both private companies such as Facebook, Microsoft, Dropbox, Amazon, or Spotify and government bodies have the obligation to ensure the protection of your personal data. To be protected under the GDPR, you have to either be a citizen of the European Union or be located in the EU, no matter where you are from.

The GDPR comes with a robust enforcement mechanism which empowers data protection authorities to investigate data practices and fine companies or public entities up to 4% of their total worldwide annual turnover if they ignore their legal obligations and commit repeated, serious infringements of your rights. These fines are significant and proportionate to the gravity of the infringement on individuals’ fundamental rights. For far too long, a handful of companies have been diligently ignoring the EU’s data protection norms, which have been in place since 1995. With this new framework, the data protection authorities are better equipped to deal with free riders.

What are my rights? THE RIGHT TO INFORMATION

When a company, a government body, or an organisation collects and uses information about you, you have the right to get information about:

• the name of the entity using your data,

• the contact information of the person or department in charge of personal data protection at this entity,

• the reason for which the entity will use your data,

• the type of personal data the entity holds about you,

• the length of time your data will be kept,

• whether your data will be shared with third parties and who they are,

• whether your data will be used for automated decision-making via algorithms,

• whether data will be moved outside the EU,

• your other basic data protection rights,

• your right to file a complaint, and

• what legal basis has been used to authorise the collection and use of your personal data. There are six legal grounds authorising entities to use personal data under the GDPR, such as your explicit and informed consent or the execution of a contract.

All this information should be provided to you in a concise, transparent, intelligible way, using clear and plain language. This means that an entity must have terms of service and a privacy policy that are easily understood, which has not typically been the case.

Relevant article under the GDPR: Articles 12, 13, and 14.

What are my rights? THE RIGHT OF ACCESS

No matter how your information was collected, you have the right to ask for and obtain information from a company, a government body, or an organisation as to whether it holds any personal data about you.

If an entity has information about you, you then have the right to be provided, free of charge, a copy of your data and any relevant additional information regarding the reason your information was collected and used, how long it has been kept, whether it was disclosed to a third party, and more. Unless you ask otherwise, you will be provided a copy of your data electronically (e.g., via email or online forms).

You can exercise this right several times at reasonable intervals, but if your requests are repetitive, an entity may ask a fee from the second request. Keep in mind that this right is not absolute. If your request impacts the rights and freedoms of others, you may receive only a partial copy of this information, or none. However, the entity shall explain why it was not possible to provide you with the information.

Relevant article under the GDPR: Article 15

What are my rights? THE RIGHT TO RECTIFICATION

You have the right to amend and modify the information that a company, government body, or organisation has about you if this information is incorrect, incomplete, or inaccurate (for instance, if you have changed your contact details or residence).

Once you have notified the entity, it has the obligation to change your information within a month. During this period, the entity can refuse to modify the information but must then notify you and explain why.

Relevant article under the GDPR: Article 16

What are my rights? THE RIGHT TO RESTRICT PROCESSING

Under certain circumstances, you have the right to request that a company, government body, or organisation stop using or limit the use of information about you so that you can verify the way that the entity is using it.

As an example, you can exercise this right when:

• it is unclear whether and when personal data about you will be deleted,

• the accuracy of the data is contested,

• the data is no longer needed for the purposes it was originally collected but it cannot be deleted because of legal obligations, and

• you have exercised your right to object to the use of your data altogether but the decision is pending.

In addition, when you have consented to use of your personal data, you have the right to withdraw that consent at any time by notifying the entity.

Relevant article under the GDPR: Article 18

What are my rights? THE RIGHT TO ERASURE

You have the right to ask for the deletion of your personal data when:

• a company, government body, or organisation holds information about you that is no longer needed (for instance, if you have chosen to leave a service or a platform), or

• your data has been used unlawfully.

In addition, personal data that you provided before you were 16 years old can be deleted at any time at your request. The age requirement for children may vary in some EU states from 13 to 16 years old.

Keep in mind that when you ask that your data be deleted, companies may retain information they have created based on your data. For instance, a company like Facebook that creates profiles or makes assumptions about you based on your “likes” or browsing habits may keep that information. We encourage you to request deletion of this information explicitly when you leave a platform, and if they fail to act, to bring a complaint.

Relevant article under the GDPR: Article 17

What are my rights? THE RIGHT TO OBJECT

You have the right to object to the collection, use, and storage of your personal data by a company, government body, or organisation when:

• your data is being used for direct marketing (After your request, the entity must stop using your personal data and comply with your request free of charge.),

• your data is being used for automated decision making, including profiling, where no human intervention or review will take place,

• your data is being used for scientific or historical research and statistics, and

• your data is being used for an entity’s “legitimate interest” or in carrying out a task in the public interest.

In the last two scenarios, your right to object may be limited if the entity can demonstrate that the use of your data is necessary and that the reason for using it overrides your interests, rights, and freedoms.

Your right to object to use of your data for decision-making that is based solely on automated processes is perhaps one of the most important rights in the era of big data. Through techniques like profiling, your information is gathered to be evaluated, analysed, and used to predict your behaviour and make assumptions about you. This practice is fundamentally contrary to your right to privacy and can be highly discriminatory. Even if your right to object is limited under national laws, we encourage you to exercise this right and bring a complaint if necessary.

Relevant article under the GDPR: Article 21

What are my rights? THE RIGHT TO AN EXPLANATION

When your data is used to make a decision about you, with an automated process such as the use of algorithms, you have the right to be given an explanation about its functioning. While the GDPR does not spell out details about the information you should receive, we recommend that you at least request:

• the information that was entered into the automated system,

• the reason for the use of the automated system (for example to calculate a credit or insurance rate, or decide on hiring),

• the objective of the use of the automated system (for example to speed up processes, or to limit mathematical errors),

• whether a human intervention and review of the process and decision will take place (if not, you have the right to object to the use of such an automated system), and

• your ability to challenge the decision made through use of the automated system, and to ask for a review.

Relevant article under the GDPR: Recital 71, Articles 13 to 15

What are my rights? THE RIGHT TO DATA PORTABILITY

You have the right to move your data from one service to another, and as such, to receive a file with your information in a structured, commonly used, and machine-readable format. This means that if you wish to move to a new social media platform, for example, you can do so quickly and easily by taking your data from the old platform to the new one. When it is technically feasible, you can directly request that your personal data be transferred to another company whose services you would like to use. This right relates only to information that you have provided to companies. Any data that companies collect or create based on your data will not necessarily be provided in a portable file.

This right is a novelty under data protection law and can help foster innovation and competition in the digital era, since it allows users to more easily switch between platforms. However, in order for this right to deliver its promise and for users and innovators to truly benefit from it, it will be important to develop and implement interoperability standards between services. This means that platforms should use a similar format for entering data.

Relevant article under the GDPR: Article 20

HOW CAN I EXERCISE MY RIGHTS?

You can exercise all the rights mentioned above by sending an email to any company, government body, or organisation that holds data about you.

Most entities have a dedicated email address that you can use to exercise your rights, which can be found in the terms of service or privacy policies that are required to be available online. We know these policies are typically long (although this should improve under the GDPR). However, we encourage you to take a look and search for a contact address. If you cannot find contact information, that conflicts with your right to information and you can bring this matter to a data protection authority (see next point).

The email could be as simple as follows:

Dear xxx,

Pursuant to the EU General Data Protection Regulation, I would like to exercise my right to withdraw consent to the processing of my data / right of access / right to erasure / right to object to the processing of my data / right to rectification / right to restrict processing / right to an explanation / right to portability, linked to my name and/or email address.

I look forward to hearing back from you.

Best regards,
xxx


Below are some examples of points of contact provided by companies for you to exercise your rights. We are giving examples from different industries, not just the technology industry, since the GDPR applies to any entity collecting data about you.

For Thalys, contact the company data protection officer at [email protected]

For Eurosport, contact the platform data protection officer at [email protected]

For Zalando, you can find specific contact information based on your spoken language in Chapter 13 of the company’s privacy statement: https://www.zalando.be/zalando-privacy-statement/#chapter-13

For British Airways, you can request a copy of your data at [email protected]. You can also verify and modify the way that British Airways uses your data at: https://www.britishairways.com/travel/permissionscentre/public/

For Palantir, send an email to data-subject-re[email protected]

For the Belgian Passenger Information Unit, which collects, uses, and retains data for five years when a traveler enters the country by plane, boat, train, or bus, you can contact the data protection office at [email protected] or DPO - Leuvenseweg 1, 1000 Brussels.

Google allows you to exercise some of your rights through its privacy policies: https://policies.google.com/privacy?hl=en&gl=be#infochoices and you can also send an email to Google’s data protection office via this form: https://support.google.com/policies/contact/general_privacy_form. We also encourage you to take a few minutes to review and adjust controls for how and when Google can use your information, both for your account https://myaccount.google.com/privacycheckup and specifically for the use of ads https://adssettings.google.com/authenticated?hl=en

WHAT CAN I DO IF MY RIGHTS HAVE BEEN VIOLATED OR MY DATA MISUSED?

You can exercise all the rights mentioned above at any point in time. If you think your data protection rights or other related privacy rights have been breached, you can take legal action, which has been made easier under the GDPR:

You can file a complaint with the data protection authority (DPA) of the EU country where you are located. DPAs are independent public authorities that monitor, supervise, and enforce the application of the GDPR. They are here for you. The DPA has the obligation to inform you about the progress of any complaint three months after you file it. If at any point you are dissatisfied with the response from the DPA handling your complaint, you can bring the authority to court. The table below gives you information and contact points for every DPA in the EU.

You can file a case in court against a company, a government body, or an organisation. You can do this instead of, or in addition to, filing a complaint with your data protection authority.

You have the right for a non-governmental organisation (NGO) to file a complaint on your behalf if the NGO is legally established, its activities are protecting individuals or the public interest, and the NGO has expertise in the area of data protection. This avenue is important to empower you if your complaint or case is lengthy and complex. Having the option of NGO representation opens more avenues for remedy, increasing the chances that violation of your rights will not go unpunished.

WHERE SHOULD I GO IF MY RIGHTS HAVE BEEN VIOLATED OR MY DATA MISUSED?

Austria
Österreichische Datenschutzbehörde
Hohenstaufengasse 3
1010 Wien
Tel. +43 1 531 15 202525
Email: [email protected]
Web: https://www.dsb.gv.at/

Belgium
Commission de la protection de la vie privée
Rue de la Presse 35
1000 Bruxelles
Tel. +32 2 274 48 00
Email: [email protected]
Web: https://www.privacycommission.be/

Bulgaria
Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. +359 2 915 3523
Email: [email protected]
Web: https://www.cpdp.bg/

Croatia
Croatian Personal Data Protection Agency
Martićeva 14
10000 Zagreb
Tel. +385 1 4609 000
Email: [email protected]
Web: http://www.azop.hr/

Cyprus
Commissioner for Personal Data Protection
1 Lasonos Street
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Email: [email protected]
Web: http://www.dataprotection.gov.cy/

Czech Republic
The Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Email: [email protected]
Web: https://www.uoou.cz/

Denmark
Datatilsynet
Borgergade 28, 5
1300 Copenhagen K
Tel. +45 33 1932 00
Email: [email protected]
Web: https://www.datatilsynet.dk/

Estonia
Estonian Data Protection Inspectorate
Väike-Ameerika 19
10129 Tallinn
Tel. +372 6274 135
Email: [email protected]
Web: http://www.aki.ee/en


Finland
Office of the Data Protection
P.O. Box 315
FIN-00181 Helsinki
Tel. +358 10 3666 700
Email: [email protected]
Web: https://tietosuoja.fi/en/home

Hungary
Data Protection Commissioner of Hungary
Szilágyi Erzsébet fasor 22/C
H-1125 Budapest
Tel. +36 1 3911 400
Email: [email protected]
Web: http://www.naih.hu/

France
Commission Nationale de l’Informatique et des Libertés - CNIL
8 rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel. +33 1 53 73 22 22
Complaints: https://www.cnil.fr/fr/plaintes
Web: https://www.cnil.fr/

Ireland
Data Protection Commissioner
Canal House - Station Road
Portarlington
Co. Laois
Tel. +353 57 868 4800
Email: [email protected]
Web: https://www.dataprotection.ie/

Germany (Federal)
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30
53117 Bonn
Tel. +49 228 997799 0
Email: [email protected]
Web: https://www.bfdi.bund.de/

Greece
Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Email: [email protected]
Web: http://www.dpa.gr/

Italy
Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
00186 Roma
Tel. +39 06 69677 1
Email: [email protected]
Web: https://www.garanteprivacy.it/

Latvia
Data State Inspectorate
Director: Ms Signe Plumina
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Email: [email protected]
Web: http://www.dvi.gov.lv/


Lithuania
State Data Protection
Žygimantų str. 11-6a
011042 Vilnius
Tel. +370 5 279 14 45
Email: [email protected]
Web: https://www.ada.lt/

Luxembourg
Commission Nationale pour la Protection des Données
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Email: [email protected]
Web: https://cnpd.public.lu/

Malta
Office of the Data Protection Commissioner
2, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Email: [email protected]
Web: http://www.dataprotection.gov.mt/

The Netherlands
Autoriteit Persoons Gegevens
Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Email: [email protected]
Web: https://autoriteitpersoonsgegevens.nl/nl

Poland
The Bureau of the Inspector General for the Protection of Personal Data - GIODO
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 53 10 440
Email: [email protected]
Web: https://giodo.gov.pl/

Portugal
Comissão Nacional de Protecção de Dados - CNPD
R. de São. Bento, 148-3°
1200-821 Lisboa
Tel. +351 21 392 84 00
Email: [email protected]
Web: https://www.cnpd.pt/

Romania
The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 21 252 5599
Email: [email protected]
Web: http://www.dataprotection.ro/

Slovakia
Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
Tel. + 421 2 32 31 32 14
Email: [email protected]
Web: https://dataprotection.gov.sk/uoou/


Slovenia
Information Commissioner
Zaloška 59
1000 Ljubljana
Tel. +386 1 230 9730
Email: [email protected]
Web: https://www.ip-rs.si/

Spain
Agencia de Protección de Datos
C/Jorge Juan, 6
28001 Madrid
Tel. +34 91399 6200
Email: [email protected]
Web: https://www.agpd.es/

Sweden
Datainspektionen
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Email: [email protected]
Web: https://www.datainspektionen.se/

United Kingdom
The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow - Cheshire SK9 5AF
Tel. +44 1625 545 745
Email: [email protected]
Web: https://ico.org.uk

CONCLUSION

In the digital era, ensuring that your data are protected is essential. Misuse of data can result in discriminatory decisions, violation of privacy rights, identity theft, fraud, and more. This is why you must be in control of your information. The data protection rights safeguarded under the GDPR and presented in this guide will help put you back in control.

For far too long, data protection laws have been ignored because of weak enforcement mechanisms. Now that the law has changed in the EU, we have a responsibility to help make data protection a reality and hold the entities collecting, using, and storing our data accountable for infringement of our rights. We invite you to use this guide to start exercising your rights.

Additional resources

Want to know more about data protection and the GDPR? Here are some useful resources:

• European awareness campaign: the GDPR explained https://gdprexplained.eu

• Access Now’s blog post on why data protection matters https://www.accessnow.org/data-protection-matters-protect

• EDRi’s paper on data protection https://edri.org/wp-content/uploads/2013/10/paper06_web_20130128.pdf

• European Commission’s tool on the GDPR - citizens’ guide https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en
